Ubuntu
gnome-keyring package

old session keyring still on disk

Bug #546446 reported by Kees Cook
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gnome-keyring (Ubuntu)
Fix Released
High
Martin Pitt
Ubuntu ubuntu-10.04-beta-2
Lucid
Fix Released
High
Martin Pitt
Ubuntu ubuntu-10.04-beta-2

Bug Description

Binary package hint: gnome-keyring

While bug 539180 was fixed, the old gnome-keyring that was running for anyone with lucid devel will have still left a ~/.gnome2/keyrings/session.keyring (which is still loaded). A fixed gnome-keyring needs to delete the session.keyring from the disk as well as never save it.

Kees Cook (kees)
Changed in gnome-keyring (Ubuntu Lucid):
milestone: none → ubuntu-10.04-beta-2
importance: Undecided → High
assignee: nobody → Canonical Desktop Team (canonical-desktop-team)
security vulnerability: no → yes
Martin Pitt (pitti)
Changed in gnome-keyring (Ubuntu Lucid):
status: New → In Progress
Revision history for this message
Martin Pitt (pitti) wrote :

Note to self: We should add code to g-k startup which does this:

 if ~/.gnome2/keyrings/session.keyring exists:
     open it, overwrite with zeros, close
     unlink

We should keep this until shortly before lucid final.

Martin Pitt (pitti)
Changed in gnome-keyring (Ubuntu Lucid):
assignee: Canonical Desktop Team (canonical-desktop-team) → Martin Pitt (pitti)
Revision history for this message
Martin Pitt (pitti) wrote :

Proposed patch:

http://bazaar.launchpad.net/%7Eubuntu-desktop/gnome-keyring/ubuntu/annotate/head%3A/debian/patches/04_clean_session_keyring.patch

Kees, mind eyeballing it?

Revision history for this message
Martin Pitt (pitti) wrote :

I tested this both end-to-end (complete boot) as well as with creating fake session.keyring files and calling g-k-m manually. Works fine here, the file is zeroed and then removed.

Still awaiting signoff from Kees.

Changed in gnome-keyring (Ubuntu Lucid):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-keyring - 2.92.92git20100322-0ubuntu2

---------------
gnome-keyring (2.92.92git20100322-0ubuntu2) lucid; urgency=low

  * Add 04_clean_session_keyring.patch: Earlier versions of gnome-keyring
    (intra-lucid development) accidentally wrote the session keyring to disk.
    Clean it up on startup. This needs to be kept until after beta-2,
    preferably shortly before lucid final. (LP: #546446)
 -- Martin Pitt <email address hidden> Thu, 25 Mar 2010 18:09:08 +0100

Changed in gnome-keyring (Ubuntu Lucid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.